I’m getting the following strange output in syslog on my host server. I’m not sure what is going on there as I don’t mount anything on my containers. I use a bind from the master. All my mounts are up and working. Have any of you seen this?
From what I remember, ionclean is some PHP process which tries to do some odd mount namespace operations, including the one you see in your logs. From past experience, the only real side-effect of this is the log entry; I don’t remember seeing any report of an actual problem being caused by it.
while it probably really means ‘command: sessionclean’. Hrrmf.
This is coming, it seems, from a protection feature created by systemd to reduce the risks caused by system services (if they are subverted, of course), in this case the one created by Debian/Ubuntu packagers to clean old PHP session files (a service that is possibly never used anyway), but it seems that this protection feature is actually seen by AppArmor as a forbidden access when used by containers and interpreted as a possible security issue.
Mandatory access control is a good idea but I’m not sure that it’s currently working very well with containers - and basic reporting is not very good.